The primary health care relationship between patients and doctors has expanded to include a wide range of parties: employers, health plans, consulting physicians and other health care providers, laboratories and hospitals, researchers and data organizations, and various governmental agencies. This multiparty relationship has fundamentally changed the use and privacy of health care information.

This change spurred the Patient Records Confidentiality Task Force, a group of representatives from the private sector and government facilitated by the Office of Information Practices (OIP), to draft legislation designed to bring comprehensive protection to medical records. Introduced in the 1999 state legislative session, House Bill 351 immediately sparked controversy.

After intense discussions by members of the public and private sector in committee hearings, the House passed the bill with only one dissenting vote. The Senate then passed it unanimously. On June 23, 1999, after one year of hard work and heated negotiations for the Task Force, Acting Governor Mazie Hirono signed the bill into law as Act 87 [click here for text of the law].

“Until adoption of this law, there was little statutory protection of patients’ medical information; information could be shared without a patient’s knowledge,” said Moya Gray, Director of OIP. “Hawaii’s new law gives patients real control over this type of sensitive information.”

In the early stages the Task Force could not agree on most provisions. For instance, some members wanted the medical records to be completely private, but other members wanted access to the records.

The group finally reached consensus and agreed that only certain parties could look at medical records and only for qualified health care operations. The Task Force believed that full and complete confidentiality between patient and doctor would not work in today’s health care industry, and that the review of medical information helped to improve the delivery of health care and further medical research.

Many Task Force members understood that some parties should have access to medical records. Health care insurers, for example, believe they have a responsibility to look at the medical record because patients pay for the coverage, and believe they have a fiscal duty to ensure proper payment for services rendered to the patient.

“The ideal of complete confidentiality within this doctor-patient relationship must give way to some degree because hardly anyone can afford to pay for all services,” said Task Force member Susan Chong Wong, executive director of the Hawaii Federation of Physicians and Dentists.

To achieve balance, the Task Force worked diligently to protect against inappropriate disclosure of medical records by stipulating conditions for disclosure within tightly drawn parameters, requiring individual consent for disclosure, and imposing strong sanctions for improper disclosure.

“The Task Force defined the necessary uses of health information very narrowly and treated these disclosures differently from others,” Gray said. “Information for these purposes may be used and disclosed without patients’ consent only if proper notice has been given.”

During testimony on this bill, however, many concerned citizens opposed the conditions which allowed limited disclosures of medical information. Some felt that the conditions went beyond the acceptable boundaries of privacy. They testified that health insurers and other parties could take advantage of a patient’s medical record because the bill allows certain parties access to the information.

Others testified that if this bill had not been introduced, patients’ privacy would continue to suffer because there was no comprehensive state or federal law to protect the privacy of medical information.

The bill was signed into law on June 23, 1999. The new law provides clear safeguards for an individual’s health care information. Access to the medical record must meet stringent conditions.

To educate the public about these conditions, the law sets up notice requirements that would inform a patient of his rights under the law. For example, a patient can “opt-out”–he can decide to pay the provider directly without going through the insurance contract. The patient can then prohibit disclosure of all medical information except as required by law. This notice will educate the public, and allow the public eventually to make appropriate choices themselves.

If a patient does decide to give consent to other parties, the law provides tough sanctions and legal action for parties who do not follow the terms of the consent. Patients thus hold the upper hand when it comes to their health care information and its disclosure.

Sanctions include severe criminal penalties for intentional and knowing violations and civil actions for money damages, including the possibility of punitive damages, attorneys fees, and other costs, which can be brought by individuals whose rights have been violated.

In short, this law gives control of medical record information to the patients. It gives patients the opportunity to educate themselves about which parties have the authority to look at their records, which disclosures require consent, and what actions patients can take if any violations occur.

Heidi Yeager Singh, a Task Force member and Legislative and Government Affairs Director of the Hawaii Medical Association, perhaps put it best: “This bill will empower patients by arming them with the knowledge and understanding of how their medical record information is used and the safeguards in place for the protection of their personal information.”

Note: A future Openline article will give an in-depth analysis of the new law.

Public Official Jailed for Public Records Law Violation in FloridaThe June 1999 issue of The Brechner Report reports that a county school board member in Pensacola, Florida, was found guilty of violating Florida’s public records law. In December 1998, the grand jury indicted the school board member for knowingly withholding public records from a mother of three public school children, who had publicly criticized the member’s actions and political beliefs.

The mother sought the records to better understand the member’s votes on school board issues, but the member denied the request, saying the records were confidential. The school board member was sentenced to 30 days in jail, fined $1,000, and ordered to pay $45 per month in probation costs and restitution to the school district for its expenses.

According to The Brechner Report, published by The Brechner Center for Freedom of Information, University of Florida, this is the second school board member convicted of an access law violation. In 1992, a Hernando County School Board member was found guilty of violating the Open Meetings Law, fined $322, and ordered to spend four hours studying the Government-in-the-Sunshine manual.

OIP Staff UpdateThe Office of Information Practices bids aloha to Staff Attorney Lynn Otaguro. Lynn was a valuable member of the OIP legal team from July 1997 to July 1999. She will now devote more time to family. We will miss Lynn’s sharp mind and bright personality. Most of all, we will miss the Starbucks coffee she would bring in to recharge our batteries. Best wishes, Lynn!

The staff welcomes a new Staff Attorney, John Cole, who joins the OIP from the office of Representative Ed Case. John graduated from high school in Hilo. A graduate of Washington University School of Law in St. Louis, John is originally from Michigan, so now we have to start cheering on the Spartans, Tigers, Lions, Pistons, and Red Wings.

The staff also welcomes Allan Bareng, our volunteer summer intern. Allan, who served in Senator Inouye’s office in Washington during the spring semester, is entering his senior year as a communications major at the University of Southern California. Allan’s article on the privacy of health care information begins on page one.

Recent OIP Opinion:DLNR Vessel Registration Application FormsDepartment of Land and Natural Resources (DLNR) vessel registration application forms are public after segregation of information which, if disclosed, would constitute a clearly unwarranted invasion of personal privacy. This includes home addresses, home telephone numbers, and dates of birth of registration applicants. For applications that have been granted, citizenship status of applicants should also be segregated. For applications that have been denied or are pending, names of applicants should be segregated.

Agencies cannot compel record requesters to make requests in writing; however, the OIP’s new administrative rules require that formal record requests be in writing. Agencies cannot require record requesters to answer certain questions prior to disclosure, such as how the information will be used. Finally, if both paper and electronic copies are maintained as government records, the agency should disclose the record in the form requested. [OIP Op. Ltr. No. 99-3, June 1, 1999]

Uniform Information Practices Act (UIPA) Record Requests:** To make a request for records maintained by the Office of Information Practices (and not records maintained by other agencies), click here for instructions.
** To make a request for records maintained by another agency, please contact the agency that maintains the records.

Accessibility:If you use assistive technology and the format of any material on our website interferes with your ability to access the information, please contact:

In your message, please indicate the nature of your accessibility problem, the preferred format in which to receive the requested material, the web address of the requested material, and your contact information so that we may best serve you.